Does Istio support proxy protocol?

You may have to apply this:

apiVersion: networking.istio.io/v1alpha3kind: EnvoyFiltermetadata:  name: proxy-protocol  namespace: istio-systemspec:  workloadSelector:    labels:      istio: ingressgateway  configPatches:  - applyTo: LISTENER    patch:      operation: MERGE      value:        listener_filters:        - name: envoy.listener.proxy_protocol        - name: envoy.listener.tls_inspector

As my istio ingress gateway is behind AWS ELB, I also had to enable proxy protocol on ELB:

apiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata:  namespace: istio-systemspec:  profile: default  components:    ingressGateways:      - name: istio-ingressgateway        namespace: istio-system        enabled: true        # Copy settings from istio-ingressgateway as needed.  values:    gateways:      istio-ingressgateway:        serviceAnnotations:          # Note that Helm values (spec.values.gateways.istio-ingressgateway/egressgateway)          # are shared by all ingress/egress gateways.          # If these must be customized per gateway,          # it is recommended to use a separate IstioOperator CR          # Enable Prox protocol          service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"

If you will miss envoy.listener.tls_inspector you will get:

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxxopenssl: no peer certificate available